CVE-2017-16803

In Libav through 11.11 and 12.x through 12.1, the smacker_decode_tree function in libavcodec/smacker.c does not properly restrict tree recursion, which allows remote attackers to cause a denial of service (bitstream.c:build_table() out-of-bounds read and application crash) via a crafted Smacker stream.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
VendorProductVersion
libavlibav
𝑥
≤ 11.11
libavlibav
12.0
libavlibav
12.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ffmpeg
bullseye
7:4.3.7-0+deb11u1
fixed
bullseye (security)
7:4.3.8-0+deb11u1
fixed
bookworm
7:5.1.6-0+deb12u1
fixed
bookworm (security)
7:5.1.6-0+deb12u1
fixed
sid
7:7.1-3
fixed
trixie
7:7.1-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libav
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
focal
dne
disco
dne
cosmic
dne
bionic
dne
artful
dne
zesty
dne
xenial
dne
trusty
needed
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/101882
https://bugzilla.libav.org/show_bug.cgi?id=1098
https://github.com/libav/libav/commit/cd4663dc80323ba64989d0c103d51ad3ee0e9c2f
https://security.gentoo.org/glsa/201811-19
https://www.debian.org/security/2018/dsa-4119
http://www.securityfocus.com/bid/101882
https://bugzilla.libav.org/show_bug.cgi?id=1098
https://github.com/libav/libav/commit/cd4663dc80323ba64989d0c103d51ad3ee0e9c2f
https://security.gentoo.org/glsa/201811-19
https://www.debian.org/security/2018/dsa-4119